[Solved] PolarSSL The certificate format is invalid, e.g. different type expected

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Locked
tzmmtz
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 13, 2016 8:42 pm

[Solved] PolarSSL The certificate format is invalid, e.g. different type expected

Post by tzmmtz » Thu Oct 13, 2016 8:47 pm

Trying to install profile sent by email and get this error on iPhone running 9.3.5. and OpenVPN v1.0.7 build 199.

PolarSSL : error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected

This same profile works fine if importing by iTunes.

Anyone have any clues?

Here is the full log..,

Thanks in advance for any help.

2016-10-13 16:32:30 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-10-13 16:32:30 Frame=512/2048/512 mssfix-ctrl=1250
2016-10-13 16:32:30 EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected [ERR]
2016-10-13 16:32:30 Raw stats on disconnect:
2016-10-13 16:32:30 Performance stats on disconnect:
CPU usage (microseconds): 2433
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2016-10-13 16:32:30 EVENT: DISCONNECT_PENDING
2016-10-13 16:32:30 ----- OpenVPN Stop -----

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by TinCanTech » Fri Oct 14, 2016 10:37 am

What is in the profile ?

tzmmtz
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 13, 2016 8:42 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by tzmmtz » Fri Oct 14, 2016 12:00 pm

The iphone.ovpn file and a ca.crt. The xxx's represent the dns name which are removed for this public post. Here is the contents of the .ovpn file.

Thanks for your thoughts TinCanTech.

dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ns-cert-type server
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by TinCanTech » Fri Oct 14, 2016 12:28 pm

Remove --ns-cert-type server and try again.

tzmmtz
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 13, 2016 8:42 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by tzmmtz » Fri Oct 14, 2016 6:01 pm

At this point I'm a bit mixed up, especially now that I have so many different test files. So, I just restarted from scratch and let me restate....

If I import through iTunes it works fine when the file is a package called iphone.ovpn containing the .ovpn file and the ca.crt. Here is what is in the .ovpn and I just removed the ns-cert-type server and verified it still works.

dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass


When I sent that by email it wouldn't even import into the OpenVPN app. All I see after clicking on the email attachment is iphone.ovpn OpenVPN Profile 192 bytes and swipe left I see ca.crt certificate (x.509) 1kb

So, my first question now is what is the proper way to email? What I've been trying is...Creating a single file and emailing which then gave me the option to import into OpenVPN profile. But I still get the original error.... PolarSSL The certificate format is invalid, e.g. different type expected.

Thanks for your help!

client
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
<ca>
----BEGIN CERTIFICATE-----
MIIDyDCCAzGgAwIBAgIJAOK+fV7fRe19MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJBVDELMAkGA1UECBMCV0kxDzANBgNVBAcTBlZpZW5uYTETMBEGA1UEChMK
Qm9uam91clZQTjERMA8GA1UECxMIU2VjdXJpdHkxEzARBgNVBAMTCmJvbmpvdXIt
Y2ExEzARBgNVBCkTCmJvbmpvdXItY2ExIDAeBgkqhkiG9w0BCQEWEXZwbkBib25q
b3VyLmxvY2FsMB4XDTE0MDIyMTA4MjAxOFoXDTI0MDIxOTA4MjAxOFowgZ8xCzAJ
BgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0GA1UEBxMGVmllbm5hMRMwEQYDVQQK
EwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1cml0eTETMBEGA1UEAxMKYm9uam91
ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEgMB4GCSqGSIb3DQEJARYRdnBuQGJv
bmpvdXIubG9jYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALCRld9lo++2
mFdZbo7nIViM9NW+Vvfyh+3qWZCbRGEcsB8AGU4k7lg5p7MHjcnSMkjbgOnsLkaL
bYhtU3TxpVbmT3S4tOmbuV09pcUG/I2lCh8LokqI3ctuInLzWaQBxg+7eQ3kLLZh
w3UJKolUmwG/MJC830IbOGUHux856tj3AgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQU
KPh5K13jX9XH+kWDS2LYbriowlUwgdQGA1UdIwSBzDCByYAUKPh5K13jX9XH+kWD
S2LYbriowlWhgaWkgaIwgZ8xCzAJBgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0G
A1UEBxMGVmllbm5hMRMwEQYDVQQKEwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1
cml0eTETMBEGA1UEAxMKYm9uam91ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEg
MB4GCSqGSIb3DQEJARYRdnBuQGJvbmpvdXIubG9jYWyCCQDivn1e30XtfTAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJDx+DLbiCP3GM/6Gd4Ih0aQzWsz
CDjjcLEdTcEExM8Fn/rqrgEmE6jrtNXn4kKE2Y/Qk4Jud1PGEiXmEoKRTiZTY7m1
RBG8ZHoVWk6Pz2ZUeCT7rpxsspdXPyPt0vAFCPHs5v1RYyu4lkgHJ0N68ih7n831
E8Hc3CAbda1wAzW6
-----END CERTIFICATE-----
</ca>

tzmmtz
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 13, 2016 8:42 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by tzmmtz » Mon Oct 17, 2016 1:06 am

We got it working by telling IOS not to look for a profile ssl cert in the config because we don't use that. We use the username/password combo instead.

Everything fine now.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: PolarSSL The certificate format is invalid, e.g. different type expected

Post by TinCanTech » Mon Oct 17, 2016 11:16 am

Thanks for letting us know your solution 8-)

Locked